Firewall App is an OpenFlow-based firewall. This Ryu App makes an OpenFlow
switch work as a firewall.
This firewall works as a packet filter for incoming traffic into the switch.
Firewall App can be started with the following command.

```
$ PYTHONPATH=. ./bin/ryu-manager --verbose --wsapi-host=<HOST> --wsapi-port=<PORT> ryu/app/rest_firewall.py
```

When the wsapi-host / wsapi-port options are omitted, the REST API listens on "localhost:8080".
You can control the firewall with the following REST API.
- Get status of all firewall switches

GET /firewall/module/status

```
$ curl http://localhost:8080/firewall/module/status
{"switch_id: 0000000000000001": {"status": "disable"}}
```
- Enable the firewall switches

PUT /firewall/module/enable/{switch-id}

{switch-id} is 'all' or a switch ID.

```
$ curl -X PUT http://localhost:8080/firewall/module/enable/0000000000000001
{"switch_id: 0000000000000001": {"result": "success", "details": "firewall running."}}
$ curl http://localhost:8080/firewall/module/status
{"switch_id: 0000000000000001": {"status": "enable"}}
```
- Disable the firewall switches

PUT /firewall/module/disable/{switch-id}

{switch-id} is 'all' or a switch ID.

```
$ curl -X PUT http://localhost:8080/firewall/module/disable/0000000000000001
{"switch_id: 0000000000000001": {"result": "success", "details": "firewall stopped."}}
$ curl http://localhost:8080/firewall/module/status
{"switch_id: 0000000000000001": {"status": "disable"}}
```
- Get rules of the firewall switches

GET /firewall/rules/{switch-id}

{switch-id} is 'all' or a switch ID.

```
$ curl http://localhost:8080/firewall/rules/all
{"switch_id: 0000000000000001": {}}
```
- Add a rule to the firewall switches

POST /firewall/rules/{switch-id}

{switch-id} is 'all' or a switch ID. The firewall must be enabled on the switch before rules take effect, so the example enables it first.

```
$ curl -X PUT http://localhost:8080/firewall/module/enable/0000000000000001
{"switch_id: 0000000000000001": {"result": "success", "details": "firewall running."}}
$ curl -X POST http://localhost:8080/firewall/rules/0000000000000001 \
-d '{"priority":10, "in_port":"1", "dl_type":"IPv4", "nw_proto":"ICMP", "nw_dst":"10.0.0.2", "actions":"ALLOW"}'
{"switch_id: 0000000000000001": {"result": "success", "details": "Rule added. : rule_id=1"}}
$ curl http://localhost:8080/firewall/rules/all
{"switch_id: 0000000000000001": {"rule_id: 1": {"priority": 10, "dl_type": "IPv4", "nw_proto": "ICMP", "actions": "ALLOW", "nw_dst": "10.0.0.2", "in_port": 1}}}
```
| Key | Description |
|---|---|
| priority | Priority of the flow entry installed for the firewall rule |
| in_port | Input port to match with the rule |
| src_mac | Source MAC address |
| dl_dst | Destination MAC address |
| dl_type | Ethernet frame type (ARP or IPv4) |
| nw_src | Source IP address |
| nw_dst | Destination IP address |
| tp_src | Source port number |
| tp_dst | Destination port number |
| nw_proto | IP protocol (TCP, UDP or ICMP) |
| actions | Firewall action (ALLOW or DENY) |
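A small client for the rule API, added here as an example (it is not part of Ryu or of this page): it checks each rule against the keys and value vocabularies documented in the table above before anything is sent, so a mistyped key cannot silently install a rule that matches something other than intended, then enables the firewall and posts the rules in order. The `send` hook and the recorder used with it are assumptions so the flow can be exercised offline without a running controller.

```python
import json
import urllib.request

BASE_URL = "http://localhost:8080"  # REST API default from the page

# Rule keys and value vocabularies exactly as documented in the table above.
RULE_KEYS = {"priority", "in_port", "src_mac", "dl_dst", "dl_type", "nw_src",
             "nw_dst", "tp_src", "tp_dst", "nw_proto", "actions"}
DL_TYPES = {"ARP", "IPv4"}
NW_PROTOS = {"TCP", "UDP", "ICMP"}
ACTIONS = {"ALLOW", "DENY"}


def validate_rule(rule):
    """Reject a rule client-side before it reaches the controller."""
    unknown = set(rule) - RULE_KEYS
    if unknown:
        raise ValueError(f"unknown rule keys: {sorted(unknown)}")
    if rule.get("actions") not in ACTIONS:
        raise ValueError("actions must be ALLOW or DENY")
    if "dl_type" in rule and rule["dl_type"] not in DL_TYPES:
        raise ValueError("dl_type must be ARP or IPv4")
    if "nw_proto" in rule and rule["nw_proto"] not in NW_PROTOS:
        raise ValueError("nw_proto must be TCP, UDP or ICMP")
    return rule


def build_request(method, path, body=None, base_url=BASE_URL):
    """Build the HTTP request for one API call (JSON body when given)."""
    data = None if body is None else json.dumps(body).encode()
    headers = {"Content-Type": "application/json"} if data else {}
    return urllib.request.Request(base_url + path, data=data,
                                  headers=headers, method=method)


def push_rules(switch_id, rules, send=None, base_url=BASE_URL):
    """Enable the firewall on switch_id, then POST each validated rule.
    `send` (assumed hook) lets a caller record requests instead of sending;
    the default performs the live HTTP call and decodes the JSON reply."""
    if send is None:
        send = lambda req: json.load(urllib.request.urlopen(req))
    enable = build_request("PUT", f"/firewall/module/enable/{switch_id}",
                           base_url=base_url)
    responses = [send(enable)]
    for rule in rules:
        req = build_request("POST", f"/firewall/rules/{switch_id}",
                            validate_rule(rule), base_url=base_url)
        responses.append(send(req))
    return responses
```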
- Delete a rule from the firewall switches by rule ID

DELETE /firewall/rules/{switch-id}

{switch-id} is 'all' or a switch ID.

```
$ curl -X DELETE http://localhost:8080/firewall/rules/0000000000000001 \
-d '{"rule_id": 1}'
{"switch_id: 0000000000000001": {"result": "success", "details": "Rule deleted. : ruleID=1,"}}
$ curl http://localhost:8080/firewall/rules/all
{"switch_id: 0000000000000001": {}}
```

| Key | Description |
|---|---|
| rule_id | ID of the rule to be deleted |